Openidm.Delete error - Access denied

Facing issues with using the openidm.delete call in a Next Gen Script. I am trying to delete a user at the end of a journey. I have the _id field and had an “Identify Existing User” node before the scripted node. Wondering why I am getting an access denied on the user.

Error: org.forgerock.openam.auth.node.api.NodeProcessException: javax.script.ScriptException: java.util.concurrent.ExecutionException: javax.script.ScriptException: Wrapped org.forgerock.json.resource.ForbiddenException: Access denied (Delete User#52) in Delete User at line number 52 at column number 0
→ line 52 is the line number in my script.

I followed the scripting reference here: ForgeRock Identity Management 7 > Scripting Guide > Scripting Function Reference

I believe you will need to assign delete permission to the openidm-admin role in the access JSON file.

https://backstage.forgerock.com/docs/idcloud/latest/idm-auth/authorization-and-roles.html


Thanks, had my team enable that but I am still getting access denied error. Is there anywhere else that needs to get updated in the tenant?

Hi folks, following up on relevant doc provided by ajaykumar_suri

https://backstage.forgerock.com/docs/idcloud/latest/idm-auth/authorization-and-roles.html

You may need to go through the guide for full context, but I believe this will allow the openidm.delete method to work for specific users.

The following rule (from a default access.json file) shows the access configuration structure:

{
  "pattern" : "system/*",
  "roles"   : "internal/role/openidm-admin",
  "methods" : "action",
  "actions" : "test,testConfig,createconfiguration,liveSync,authenticate"
}

This rule specifies that users with the openidm-admin role can perform the listed actions on all system endpoints.

The parameters in each access rule are as follows:

pattern
The REST endpoint for which access is being controlled. "*" specifies access to all endpoints in that path. For example, "managed/realm-name_user/*" specifies access to all managed user objects.

roles
A comma-separated list of the roles to which this access configuration applies.
The roles referenced here align with the object’s security context (security.authorization.roles). The authzRoles relationship property of a managed user produces this security context value during authentication.

methods
A comma-separated list of the methods that can be performed with this access. Methods can include create, read, update, delete, patch, action, query. A value of "*" indicates that all methods are allowed. A value of "" indicates that no methods are allowed.

I hope you find this helpful.
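As an added illustration (not part of the original reply or of ForgeRock's shipped configuration), the following rule applies the structure described above to the original question: granting only the delete method on managed user objects to the openidm-admin role. The "configs" wrapper is the array that holds the individual rules in an IDM 7 access.json; "realm-name" is the placeholder the guide uses and must be replaced with the tenant's actual realm name (for example the realm the journey runs in).

```json
{
  "configs": [
    {
      "pattern": "managed/realm-name_user/*",
      "roles": "internal/role/openidm-admin",
      "methods": "delete",
      "actions": "*"
    }
  ]
}
```

Restricting "methods" to "delete" rather than "*" keeps the grant to the single operation the script needs. If the ForbiddenException persists after the rule is in place, check that the role present in the script's security context (security.authorization.roles) is actually internal/role/openidm-admin and that the pattern matches the exact managed object path the script deletes, since a realm-name mismatch in the pattern will also produce Access denied.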